web.config encryption for web sites

6
votes

i already found information about how to encrypt the web.config with a custom provider and certificate for web roles in order to secure connection strings and other settings.

Is this also possible for web sites? If not how can i secure my connection string for web sites? i know i can manage connection strings in the azure portal but these are also stored in clear text. So in case someone gains access to the web.config or the azure management he will be able to read all data.

Also see:

http://www.heikniemi.net/hardcoded/2013/06/encrypting-connection-strings-in-windows-azure-web-applications/comment-page-1/#comment-173488

http://blogs.msdn.com/b/sqlazure/archive/2010/09/10/10060395.aspx

1
azureweb-configconnection-string
I wish web.config encryption (especially for sensitive information such as connection strings) is built into ASP.NET rather than jumping through through hoops to set it up. - ahmed.eltawil

1 Answers

3
votes

Store key-value string pairs (connection strings and other secrets) in Azure configuration information associated with a website. This sensitive information then never show up as cleartext in a web.config

http://azure.microsoft.com/blog/2013/07/17/windows-azure-web-sites-how-application-strings-and-connection-strings-work/

This should be sufficiently secure - if azure admin credentials get compromised, you lose everything, not just connection strings - an attacker can simply use web sites remote debugging to get any info stepping through the program even if you had a way to encrypt/decrypt connection strings.

-Simon.